Approach 1 - Serve same data up as multiple services

Setup ArcGIS Server security and add roles for each organisation. You mention Windows Authentication, but im assuming that each organisation does not belong to one active directory, so I would recommend just using the default users & roles identity store within ArcGIS Server, and create one user under each organisation role, and provide those credentials to each organisation to use.

Secure each service to each organisation role.

Serve all of these services up in a web application, and making use of the Esri Javascript API (can use any API, or even the ArcGIS Viewer for Flex), you can prompt users to login using the Identity Manager. Each organisation will only see the corresponding service they are entitled to see. Make sure you overlay these services onto a nice looking basemap as well.

Approach 2 - Use one Map Service and make use of the QueryTask

Server up your points_layer as one map service.

Manage security outside of ArcGIS Server. Perhaps with basic authentication at the web server level, creating a different user account for each organisation to use.

Users hit a login page. Once prompted to login, they are then redirected to your web application. (Or the login is just a modal prompt on the actual web application page, redirecting you to a different page if incorrect credentials).

As the user (organisation) logs in, this then feeds in this user to a QueryTask to only display the relevant points from your one map service on the map.

These are just two ideas. Personally I would go with #2, but will depend on how secure this needs to be (#1 is more secure), how many points/organisations you have, and how much server power do you have (#1 will suck up more resources).

Id wait awhile to see what other answers pop up, as there may well be a better way.